Nextcloud Calendar attachments of local files are offered to downloaded
CVE-2025-66550

5.7MEDIUM

Key Information:

Vendor: Nextcloud
Status: Security-advisories
Vendor: CVE Published:; 5 December 2025

🔔 Create Nextcloud Vulnerability Alert

What is CVE-2025-66550?

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.

Affected Version(s)

security-advisories >= 5.0.0-rc.1, < 5.2.4 < 5.0.0-rc.1, 5.2.4

security-advisories < 4.7.17 < 4.7.17

References

https://github.com/nextcloud/security-advisories/security...

x_refsource_CONFIRM

https://github.com/nextcloud/calendar/pull/6971

x_refsource_MISC

https://github.com/nextcloud/calendar/commit/63a6c398db01...

x_refsource_MISC

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2025
Vulnerability Reserved
Dec 4, 2025

.

CVE-2025-66550 : Improper Download Verification in Nextcloud Calendar App